

Umbrella 0.7

May 4, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

This week the Umbrella team released version 0.7 of Umbrella, a "security mechanism" that implements Process-Based Access Control (PBAC) and authentication of signed binaries for Linux. Since Umbrella 0.7 is the first feature-complete release, we thought now might be a good time to take a look at the project. Kristian Sørensen, one of the Umbrella team members, was kind enough to respond to our questions about Umbrella.

While Umbrella sounds a bit like Security-Enhanced Linux or similar access-control systems on the surface, Sørensen pointed out that Umbrella is designed for consumer devices rather than general-purpose servers or other systems, though it might be useful for "specific server environments." Sørensen provided this explanation of Umbrella:

Umbrella does not deal with users, roles, types or domains. The security policy is _only_ enforced on running processes. Every time a new process is created, the policy of its parent is inherited by the child - possibly with additional policies, specified by the parent.

There are two categories of policies: File system restrictions (FSR) and Capability restrictions (CR). A FSR is simply a path (e.g. /etc/passwd), which restricts the process having this policy from accessing that file. If the restriction were "/etc" the entire directory is off limits, and thus a restriction on "/" denies access to the entire file system. The capability restrictions are non-file system restrictions, such as creation of sockets (IP networking, bluetooth etc.), sending signals, creation of new processes etc.

Umbrella has no need for a security administrator to manage the security policy of an entire system. Umbrella relies on the programmers to embed the security policy into programs. This is done in a very simple manner: by replacing fork() with rfork() and by embedding execute restrictions in the binary.

The security policy in the binaries (both rfork and execute restrictions) is protected by a digital signature: a signed SHA1 hash of the binary is placed in the ELF header, and checked at the time of execution. If the binary or its restrictions have been tampered with, the hash will not match and the binary is not allowed to run. In order for the signed binaries to be authenticated in the first place, the public key of the vendor must be placed within the key ring of Umbrella.
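The policy model Sørensen describes above, as an added example in user space: this is not Umbrella's code, and the structure and function names, the capability bits, and the rule that a path prefix only matches on a directory boundary are this example's own assumptions, not something the page attributes to Umbrella. It shows the two policy categories (file system restrictions as denied path prefixes, capability restrictions as a deny bitmask), the rfork()-style inheritance in which a parent can only add restrictions for its child, and why a naive string-prefix test would be wrong ("/etc" must deny "/etc/passwd" but not "/etcetera").

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Umbrella's code. All names here are this example's own. */

#define MAX_FSR 16

/* Capability restrictions as a bitmask: a set bit means the capability is
 * DENIED. The set below is constructed for the example; Umbrella's real list
 * is not on the page. */
enum {
    CR_SOCKET = 1u << 0,  /* may not create sockets (IP, bluetooth, ...) */
    CR_SIGNAL = 1u << 1,  /* may not send signals */
    CR_FORK   = 1u << 2,  /* may not create new processes */
};

struct pbac_policy {
    const char *fsr[MAX_FSR];  /* denied path prefixes (file system restrictions) */
    int nfsr;
    unsigned cr;               /* denied capabilities (capability restrictions) */
};

/* True if `path` is `prefix` itself or lies below it as a directory.
 * A plain strncmp() prefix test would let "/etc" deny "/etcetera" too, so the
 * match must end on a component boundary (assumption of this model).
 * A restriction on "/" denies every absolute path. */
static bool path_under(const char *prefix, const char *path)
{
    size_t n = strlen(prefix);
    if (n == 1 && prefix[0] == '/')
        return path[0] == '/';
    if (strncmp(prefix, path, n) != 0)
        return false;
    return path[n] == '\0' || path[n] == '/';
}

/* Does any file system restriction in `p` cover `path`? */
bool fsr_denies(const struct pbac_policy *p, const char *path)
{
    for (int i = 0; i < p->nfsr; i++)
        if (path_under(p->fsr[i], path))
            return true;
    return false;
}

/* Is capability `cap` denied by `p`? */
bool cr_denies(const struct pbac_policy *p, unsigned cap)
{
    return (p->cr & cap) != 0;
}

/* Model of rfork(): the child starts with the parent's full policy and the
 * parent may only ADD restrictions. Nothing is ever removed, so a child can
 * never be less confined than its parent. Returns false if the combined
 * restriction list would not fit. */
bool pbac_inherit(const struct pbac_policy *parent,
                  const struct pbac_policy *extra,
                  struct pbac_policy *child)
{
    if (parent->nfsr + extra->nfsr > MAX_FSR)
        return false;
    *child = *parent;
    for (int i = 0; i < extra->nfsr; i++)
        child->fsr[child->nfsr++] = extra->fsr[i];
    child->cr |= extra->cr;
    return true;
}

/* Constructed scenario: the parent may not touch /etc or send signals; when it
 * spawns a child it additionally denies /home and socket creation. */
static const struct pbac_policy demo_parent = { { "/etc" }, 1, CR_SIGNAL };
static const struct pbac_policy demo_extra  = { { "/home" }, 1, CR_SOCKET };

int main(void)
{
    struct pbac_policy child;

    if (!pbac_inherit(&demo_parent, &demo_extra, &child))
        return 1;
    printf("child may read /etc/passwd: %s\n", fsr_denies(&child, "/etc/passwd") ? "no" : "yes");
    printf("child may read /etcetera:   %s\n", fsr_denies(&child, "/etcetera") ? "no" : "yes");
    printf("child may open a socket:    %s\n", cr_denies(&child, CR_SOCKET) ? "no" : "yes");
    printf("parent may open a socket:   %s\n", cr_denies(&demo_parent, CR_SOCKET) ? "no" : "yes");
    return 0;
}
```

The monotonic `pbac_inherit()` is the property that makes the scheme work without a system-wide policy: whatever a vendor embeds in the top-level binary is an upper bound on everything that binary ever spawns.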

Umbrella requires a 2.6.9 kernel (or later) and includes a kernel patch, the Umbrella library and a user-space program. Binaries that will be restricted by Umbrella need to be signed using Bsign and GnuPG. Umbrella and DigSig are the only projects this author is aware of that check digital signatures of binaries. The policy for the application is stored in the binary itself.

Since Umbrella can be used to restrict binaries unless they are signed by an authority, we asked Sørensen if Umbrella was similar to so-called "trusted computing" efforts. Sørensen confirmed that Umbrella was "related to 'trusted computing'."

As the binaries are signed you can verify that they are not tampered with on each execution. The unique thing here is that this "tamper-proof" concept is utilized to protect the security policy and the binary at the same time.

While it's desirable to prevent attacks on consumer electronics devices, we asked if Umbrella could also be used to prevent users from "hacking" devices to expand the capabilities of a device -- something that may not be desirable from the end-user's point of view. Sørensen acknowledged that a device could be designed so that it would be "very difficult" for a user to "tamper with the software of the device."

What about performance? Sørensen said that the team had just finished benchmarking Umbrella, and found that it had "between 2.5% and 4.5% overhead, depending on how the system is stressed. Thus, having Umbrella in the kernel is not noticeable."

According to Sørensen, the Umbrella project started as a master's project, but he has plans to start a company in the fall, based on the Umbrella technology, called Linnovative.

It should be interesting to see how Umbrella develops and whether this approach catches on. It is simpler than SELinux, but doesn't look suitable for use in general systems at this time -- which is a shame, as it would be nice to have a simpler system that's usable for general purpose server and desktop systems. However, Umbrella may be another tool that helps Linux gain acceptance in the embedded and consumer electronics market.


New vulnerabilities

ethereal: buffer overflow

Package(s): ethereal    CVE #(s): CAN-2005-0739
Created: April 28, 2005    Updated: May 4, 2005
Description: The IAPP dissector of Ethereal is vulnerable to a buffer overflow. A remote attacker may be able to craft a network packet that takes advantage of the problem.
Debian DSA-718-2 ethereal 2005-04-28
Debian DSA-718-1 ethereal 2005-04-28


gzip: race condition and directory traversal

Package(s): gzip    CVE #(s): CAN-2005-0988 CAN-2005-1228
Created: May 4, 2005    Updated: July 13, 2005
Description: gzip suffers from a race condition which could allow a fast-fingered attacker to change the permissions on files owned by others. There is also a directory traversal vulnerability associated with the -N option.
Debian DSA-752-1 gzip 2005-07-11
Red Hat RHSA-2005:357-01 gzip 2005-06-13
OpenPKG OpenPKG-SA-2005.010 openpkg 2005-06-10
OpenPKG OpenPKG-SA-2005.009 gzip 2005-06-10
Mandriva MDKSA-2005:092 gzip 2005-05-18
Gentoo 200505-05 gzip 2005-05-09
Trustix TSLSA-2005-0018 gzip 2005-05-06
Ubuntu USN-116-1 gzip 2005-05-04
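The -N traversal above, as an added example: -N tells gzip to restore the original file name stored in the member header, so a crafted archive can carry a name such as "../../etc/cron.d/evil". The code below is not gzip's; it parses the FNAME field of a constructed gzip header, shows the unsafe behaviour (using the stored name as-is) beside one hardening (keep only the last path component and reject names that still name no file). The function names and the sample header are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not gzip's code. gzip member header flag bits (RFC 1952). */
#define FHCRC    0x02
#define FEXTRA   0x04
#define FNAME    0x08
#define FCOMMENT 0x10

/* Copy the zero-terminated FNAME field of a gzip member header into `out`.
 * Returns false if the header is malformed, has no FNAME, or the name does
 * not fit. Only the fields that precede FNAME (fixed 10 bytes, optional
 * FEXTRA) are walked; FCOMMENT and FHCRC follow it. */
bool gzip_fname(const unsigned char *buf, size_t len, char *out, size_t outsz)
{
    size_t pos = 10;
    if (len < 10 || buf[0] != 0x1f || buf[1] != 0x8b || buf[2] != 8)
        return false;
    unsigned flg = buf[3];
    if (flg & FEXTRA) {
        if (pos + 2 > len)
            return false;
        size_t xlen = buf[pos] | ((size_t)buf[pos + 1] << 8);
        pos += 2 + xlen;
        if (pos > len)
            return false;
    }
    if (!(flg & FNAME))
        return false;
    size_t start = pos;
    while (pos < len && buf[pos] != '\0')
        pos++;
    if (pos == len)                      /* unterminated name */
        return false;
    if (pos - start + 1 > outsz)
        return false;
    memcpy(out, buf + start, pos - start + 1);
    return true;
}

/* Vulnerable behaviour: trust the stored name, so a name with "../"
 * components is created outside the working directory. */
const char *unsafe_output_name(const char *stored)
{
    return stored;
}

/* Hardened: keep only the final path component, and refuse names that would
 * still be a directory reference or empty. Returns NULL when rejected. */
const char *safe_output_name(const char *stored)
{
    const char *base = strrchr(stored, '/');
    base = base ? base + 1 : stored;
    if (base[0] == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return NULL;
    return base;
}

/* Constructed gzip header (no compressed payload) whose stored name is
 * "../../etc/cron.d/evil": ID1 ID2 CM FLG MTIME(4) XFL OS, then FNAME. */
static const unsigned char evil_hdr[] = {
    0x1f, 0x8b, 0x08, FNAME, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03,
    '.', '.', '/', '.', '.', '/', 'e', 't', 'c', '/',
    'c', 'r', 'o', 'n', '.', 'd', '/', 'e', 'v', 'i', 'l', '\0'
};

int main(void)
{
    char name[64];
    if (!gzip_fname(evil_hdr, sizeof evil_hdr, name, sizeof name))
        return 1;
    const char *safe = safe_output_name(name);
    printf("stored name:  %s\n", name);
    printf("unsafe -N:    %s\n", unsafe_output_name(name));
    printf("hardened -N:  %s\n", safe ? safe : "(rejected)");
    return 0;
}
```

Stripping to the basename is the simplest fix because the stored name is only advisory; an alternative is to reject any name containing a '/' outright, which is stricter but changes behaviour for archives that legitimately recorded a relative path.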


Horde Framework: multiple XSS vulnerabilities

Package(s): horde    CVE #(s): (none assigned)
Created: May 2, 2005    Updated: May 3, 2005
Description: Cross-site scripting vulnerabilities have been discovered in various modules of the Horde Framework.
Gentoo 200505-01 horde 2005-05-01


ImageMagick: heap corruption

Package(s): ImageMagick    CVE #(s): CAN-2005-1275
Created: April 28, 2005    Updated: May 25, 2005
Description: ImageMagick 6.2.1 and earlier has a heap corruption problem in the PNM coder.
Red Hat RHSA-2005:413-01 ImageMagick 2005-05-25
Ubuntu USN-132-1 imagemagick 2005-05-23
Gentoo 200505-16 imagemagick 2005-05-21
Fedora FEDORA-2005-344 ImageMagick 2005-04-27


infozip: privilege escalation, directory-traversal

Package(s): infozip    CVE #(s): CAN-2003-0282 CAN-2004-1010 CAN-2005-0602
Created: May 2, 2005    Updated: August 1, 2005
Description: InfoZip reports that Zip 2.3 and (presumably) all previous versions have a buffer-overrun vulnerability relating to deep directory paths that could potentially lead to local privilege escalation (e.g., in the case of automated, Zip-based backups). All versions of UnZip through 5.50 have a number of directory-traversal vulnerabilities.
Ubuntu USN-159-1 unzip 2005-08-01
Slackware SSA:2005-121-01 infozip 2005-05-02


libnet-ssleay-perl: weakened cryptographic operations

Package(s): libnet-ssleay-perl    CVE #(s): CAN-2005-0106
Created: May 3, 2005    Updated: January 27, 2006
Description: Javier Fernandez-Sanguino Pena discovered that this library used the file /tmp/entropy as a fallback entropy source if a proper source was not set in the environment variable EGD_PATH. This can potentially lead to weakened cryptographic operations if an attacker provides a /tmp/entropy file with known content.
Mandriva MDKSA-2006:023 perl-Net_SSLeay 2006-01-26
Ubuntu USN-113-1 libnet-ssleay-perl 2005-05-03


phpMyAdmin: insecure SQL script installation

Package(s): phpMyAdmin    CVE #(s): (none assigned)
Created: May 2, 2005    Updated: May 3, 2005
Description: The phpMyAdmin installation process leaves the SQL install script with insecure permissions. A local attacker could exploit this vulnerability to obtain the initial phpMyAdmin password and from there obtain information about databases accessible by phpMyAdmin.
Gentoo 200504-30 phpmyadmin 2005-04-30


postgresql: database initialization errors

Package(s): postgresql    CVE #(s): CAN-2005-1409 CAN-2005-1410
Created: May 4, 2005    Updated: February 28, 2006
Description: PostgreSQL suffers from two vulnerabilities in how databases are set up by default; they allow a local attacker (one with access to the database) to crash the back end and, perhaps, execute code with the privileges of the server process. See the PostgreSQL advisory for details and workarounds.
Fedora-Legacy FLSA:157366 PostgreSQL 2006-02-27
Mandriva MDKSA-2005:093 postgresql 2005-05-26
Red Hat RHSA-2005:433-01 postgresql 2005-06-01
Gentoo 200505-12 postgresql 2005-05-15
Fedora FEDORA-2005-368 postgresql 2005-05-10
Ubuntu USN-118-1 postgresql 2005-05-04


Pound: buffer overflow

Package(s): pound    CVE #(s): CVE-2005-1391
Created: May 2, 2005    Updated: January 10, 2006
Description: Steven Van Acker has discovered a buffer overflow vulnerability in the "add_port()" function in Pound 1.8.2+. A remote attacker could send a request with an overly long hostname parameter, which could lead to the remote execution of arbitrary code with the rights of the Pound daemon process.
Gentoo 200504-29 pound 2005-04-30


prozilla: format string vulnerabilities

Package(s): prozilla    CVE #(s): CAN-2005-0523
Created: May 4, 2005    Updated: May 4, 2005
Description: Several format string vulnerabilities have been found in prozilla; an exploit requires a malicious server.
Debian DSA-719-1 prozilla 2005-04-28


smartlist: wrong input processing

Package(s): smartlist    CVE #(s): CAN-2005-0157
Created: May 3, 2005    Updated: May 3, 2005
Description: Jeroen van Wolffelaar noticed that the confirm add-on of SmartList, the list manager, could be tricked into subscribing arbitrary addresses to the lists.
Debian DSA-720-1 smartlist 2005-05-03


tcpdump: multiple DoS issues

Package(s): tcpdump    CVE #(s): CAN-2005-1280 CAN-2005-1279 CAN-2005-1278
Created: May 2, 2005    Updated: April 10, 2006
Description: The rsvp_print function in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted RSVP packet of length 4. (CAN-2005-1280)

tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted BGP packet, which is not properly handled by RT_ROUTING_INFO, or LDP packet, which is not properly handled by the ldp_print function. (CAN-2005-1279)

The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a zero length, as demonstrated using a GRE packet. (CAN-2005-1278)

Fedora-Legacy FLSA:156139 tcpdump 2006-04-04
Debian DSA-850-1 tcpdump 2005-10-09
Mandriva MDKSA-2005:087 tcpdump 2005-05-11
Red Hat RHSA-2005:417-02 tcpdump 2005-05-11
Red Hat RHSA-2005:421-02 tcpdump 2005-05-11
Gentoo 200505-06 tcpdump 2005-05-09
Ubuntu USN-119-1 tcpdump 2005-05-06
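The "zero length, infinite loop" pattern behind the three tcpdump issues above, as an added example. This is not tcpdump's code and does not reproduce its packet formats; it uses a constructed record format (a length byte that counts itself plus the payload, so a valid record has length at least 1) to show the class of bug: a dissector that advances its cursor by a length taken from the packet, without checking that the length is non-zero, never makes progress on a zero-length record. The vulnerable walker is capped at an iteration count only so that the demonstration terminates; the hardened walker refuses zero-length and truncated records. Function names and the sample buffers are this example's own.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not tcpdump's code. Constructed record format: each record
 * is len(1) followed by len-1 payload bytes, i.e. `len` counts the length
 * byte itself, so a well-formed record has len >= 1. */

/* Vulnerable pattern: the cursor is advanced by the packet-supplied length
 * with no check for zero, so a zero-length record pins the cursor in place
 * and the loop never ends. `max_iters` exists only to make this demo
 * terminate; returns records seen, or -1 when the cap is hit (the real bug
 * spins forever, which is the denial of service). */
int walk_vulnerable(const unsigned char *buf, size_t len, int max_iters)
{
    size_t pos = 0;
    int n = 0;
    while (pos < len) {
        if (n++ >= max_iters)
            return -1;
        unsigned rec_len = buf[pos];
        pos += rec_len;              /* BUG: rec_len == 0 leaves pos unchanged */
    }
    return n;
}

/* Hardened: every iteration must consume at least one byte, and a record
 * may not run past the end of the buffer. Returns records seen, or -1 on
 * malformed input. */
int walk_hardened(const unsigned char *buf, size_t len)
{
    size_t pos = 0;
    int n = 0;
    while (pos < len) {
        unsigned rec_len = buf[pos];
        if (rec_len == 0)            /* no forward progress possible */
            return -1;
        if (rec_len > len - pos)     /* truncated record, would read past buf */
            return -1;
        pos += rec_len;
        n++;
    }
    return n;
}

/* Constructed inputs: three well-formed records, and a buffer whose second
 * record has a zero length byte. */
static const unsigned char good[] = { 0x03, 'a', 'b', 0x02, 'c', 0x01 };
static const unsigned char zero[] = { 0x03, 'a', 'b', 0x00, 'x' };

int main(void)
{
    printf("good: vulnerable=%d hardened=%d\n",
           walk_vulnerable(good, sizeof good, 100), walk_hardened(good, sizeof good));
    printf("zero: vulnerable=%d (cap hit) hardened=%d (rejected)\n",
           walk_vulnerable(zero, sizeof zero, 100), walk_hardened(zero, sizeof zero));
    return 0;
}
```

The general check is the same whatever the encoding: after each iteration of a parsing loop, assert that the cursor moved forward and that the remaining length only ever shrinks. A length field that can legitimately be zero must be handled by advancing over its fixed header explicitly rather than by the field's own value.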
Fedora FEDORA-2005-351 tcpdump 2005-05-02


Page editor: Jonathan Corbet

Copyright © 2005, Eklektix, Inc.